Merge pull request #5642 from oasisprotocol/kostko/feature/debug-nons…

…gx-pcs Add support for mock SGX builds
oasisprotocol · Apr 22, 2024 · 15c1c2c · 15c1c2c
2 parents 9c0ef31 + 85b7913
commit 15c1c2c
Show file tree

Hide file tree

Showing 41 changed files with 1,036 additions and 821 deletions.
diff --git a/.buildkite/code.pipeline.yml b/.buildkite/code.pipeline.yml
@@ -186,6 +186,16 @@ steps:
       - buildkite-agent artifact upload simple-keyvalue-upgrade
       - buildkite-agent artifact upload simple-keymanager-upgrade
       - buildkite-agent artifact upload simple-rofl
+
+      # Build for mock SGX.
+      - cd /workdir
+      - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keymanager mocksgx
+      - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keyvalue mocksgx
+      - cd /var/tmp/artifacts/default/release
+      - mv simple-keymanager simple-keymanager.mocksgx
+      - mv simple-keyvalue simple-keyvalue.mocksgx
+      - buildkite-agent artifact upload simple-keymanager.mocksgx
+      - buildkite-agent artifact upload simple-keyvalue.mocksgx
     retry:
       <<: *retry_agent_failure
     plugins:
@@ -245,7 +255,7 @@ steps:
         --scenario e2e/runtime/keymanager-.+
     env:
       # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-      OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
+      OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
       OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
       OASIS_E2E_COVERAGE: enable
       TEST_BASE_DIR: /tmp
@@ -272,7 +282,7 @@ steps:
       - .buildkite/scripts/test_e2e.sh --timeout 20m --scenario e2e/runtime/.*
     env:
       # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-      OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
+      OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
       OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
       OASIS_E2E_COVERAGE: enable
       OASIS_EXCLUDE_E2E: e2e/runtime/txsource-multi,e2e/runtime/txsource-multi-short
@@ -326,6 +336,27 @@ steps:
     plugins:
       <<: *docker_plugin
 
+  # E2E test jobs (mock SGX)
+  - label: E2E tests (mock SGX)
+    depends_on:
+      - "build-go"
+      - "build-rust-runtime-loader"
+      - "build-rust-runtimes"
+    command:
+      - trap 'buildkite-agent artifact upload "coverage-merged-e2e-*.txt;/tmp/e2e/**/*.log;/tmp/e2e/**/genesis.json;/tmp/e2e/**/runtime_genesis.json"' EXIT
+      - .buildkite/scripts/download_e2e_test_artifacts_mocksgx.sh
+      - .buildkite/scripts/test_e2e.sh --timeout 20m --scenario e2e/runtime/runtime-encryption
+    env:
+      OASIS_TEE_HARDWARE: intel-sgx
+      OASIS_UNSAFE_MOCK_SGX: "1"
+      OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
+      OASIS_E2E_COVERAGE: enable
+      TEST_BASE_DIR: /tmp
+    retry:
+      <<: *retry_agent_failure
+    plugins:
+      <<: *docker_plugin
+
   ####################################
   # Rust coverage job.
   ####################################
@@ -382,7 +413,7 @@ steps:
           - .buildkite/scripts/test_upgrade.sh
         env:
           # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-          OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
+          OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
           OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
           TEST_BASE_DIR: /tmp
         agents:

diff --git a/.buildkite/rust/build_runtime.sh b/.buildkite/rust/build_runtime.sh
@@ -24,6 +24,11 @@ if [ ! -d $src_dir ]; then
 fi
 shift
 
+###############
+# Optional args
+###############
+mode=${1:-}
+
 source .buildkite/rust/common.sh
 
 #####################################################################
@@ -41,13 +46,22 @@ fi
 # Run the build
 ###############
 pushd $src_dir
-    # Build non-SGX runtime. Checking KM policy requires SGX, disable it.
-    CARGO_TARGET_DIR="${CARGO_TARGET_DIR}/default" OASIS_UNSAFE_SKIP_KM_POLICY="1" cargo build --release --locked
-
-    # Build SGX runtime.
-    export CFLAGS_x86_64_fortanix_unknown_sgx="-isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening"
-    export CC_x86_64_fortanix_unknown_sgx=clang-11
-    unset OASIS_UNSAFE_SKIP_KM_POLICY
-    CARGO_TARGET_DIR="${CARGO_TARGET_DIR}/sgx" cargo build --release --locked --target x86_64-fortanix-unknown-sgx
-    CARGO_TARGET_DIR="${CARGO_TARGET_DIR}/sgx" cargo elf2sgxs --release
+    case "${mode}" in
+        mocksgx)
+            # Mock SGX only.
+            unset OASIS_UNSAFE_SKIP_KM_POLICY
+            CARGO_TARGET_DIR="${CARGO_TARGET_DIR}/default" cargo build --features debug-mock-sgx --release --locked
+            ;;
+        *)
+            # Build non-SGX runtime. Checking KM policy requires SGX, disable it.
+            CARGO_TARGET_DIR="${CARGO_TARGET_DIR}/default" OASIS_UNSAFE_SKIP_KM_POLICY="1" cargo build --release --locked
+
+            # Build SGX runtime.
+            export CFLAGS_x86_64_fortanix_unknown_sgx="-isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening"
+            export CC_x86_64_fortanix_unknown_sgx=clang-11
+            unset OASIS_UNSAFE_SKIP_KM_POLICY
+            CARGO_TARGET_DIR="${CARGO_TARGET_DIR}/sgx" cargo build --release --locked --target x86_64-fortanix-unknown-sgx
+            CARGO_TARGET_DIR="${CARGO_TARGET_DIR}/sgx" cargo elf2sgxs --release
+            ;;
+    esac
 popd
diff --git a/.buildkite/rust/common.sh b/.buildkite/rust/common.sh
@@ -7,6 +7,6 @@ source .buildkite/scripts/common.sh
 ####################
 # Set up environment
 ####################
-export OASIS_UNSAFE_LAX_AVR_VERIFY="1"
+export OASIS_UNSAFE_SKIP_AVR_VERIFY="1"
 export OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES="1"
 export RUST_BACKTRACE="1"
diff --git a/.buildkite/scripts/download_e2e_test_artifacts_mocksgx.sh b/.buildkite/scripts/download_e2e_test_artifacts_mocksgx.sh
@@ -0,0 +1,35 @@
+#! /bin/bash
+
+###############################################
+# Download common E2E build artifacts and make
+# sure they are in the correct directories for
+# E2E tests to run, etc, etc.
+###############################################
+
+# Helpful tips on writing build scripts:
+# https://buildkite.com/docs/pipelines/writing-build-scripts
+set -euxo pipefail
+
+source .buildkite/scripts/common.sh
+
+# Randomize beginning of downloads to increase hits in CI pipeline cache
+sleep $((RANDOM % 5))
+
+# Oasis node, test runner and runtime loader.
+download_artifact oasis-node go/oasis-node 755
+download_artifact oasis-node.test go/oasis-node 755
+download_artifact oasis-test-runner go/oasis-test-runner 755
+download_artifact oasis-test-runner.test go/oasis-test-runner 755
+
+# Runtime loader.
+download_artifact oasis-core-runtime-loader target/default/release 755
+
+# Simple key manager runtime.
+download_artifact simple-keymanager.mocksgx target/default/release 755
+mv target/default/release/simple-keymanager.mocksgx target/default/release/simple-keymanager
+download_artifact simple-keymanager.sgxs target/sgx/x86_64-fortanix-unknown-sgx/release 755
+
+# Test simple-keyvalue runtime.
+download_artifact simple-keyvalue.mocksgx target/default/release 755
+mv target/default/release/simple-keyvalue.mocksgx target/default/release/simple-keyvalue
+download_artifact simple-keyvalue.sgxs target/sgx/x86_64-fortanix-unknown-sgx/release 755
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -1,6 +1,4 @@
 [advisories]
 ignore = [
-    "RUSTSEC-2020-0071", # Remove once upstream dependencies are updated.
-    "RUSTSEC-2021-0124", # Remove once upstream dependencies are updated.
     "RUSTSEC-2023-0071", # Does not affect our current use of the library.
 ]
diff --git a/.changelog/5642.internal.md b/.changelog/5642.internal.md
@@ -0,0 +1,4 @@
+Add support for mock SGX builds
+
+This makes it easier to test various features even when SGX hardware is
+not available.